What Can You Do After a HIPAA Breach?

Every so often, I pick up the phone to hear a distressed voice on the other end of the line. The circumstances of each caller differ slightly, but the overarching question remains the same: as a victim of a HIPAA breach, what can I do? As the bearer of bad news, I have to give the unfortunate answer: very little.


Congress enacted the Health Insurance Portability and Accountability Act (“HIPAA”) in large part to provide security and privacy for protected health information (or “PHI”[1]) in the possession of a “covered entity.”[2] In creating HIPAA, Congress delegated its enforcement to the Secretary of the Department of Health and Human Services (or “HHS”) and gave the Secretary the power to impose penalties on violators.

Unfortunately, noticeably absent from HIPAA is a victim’s right to sue. Although no language exists in the HIPAA statute which expressly prohibits the initiation of a lawsuit, courts have almost unanimously held that HIPAA does not afford individuals any private right of action. Just this month, a Tennessee federal court affirmed the principle that “HIPAA creates neither an express nor an implied cause of action for private citizens to enforce its terms.” [3] Instead, the only right to sue belongs to the government, as state attorneys general have authority to bring civil actions on behalf of their state residents for violations of HIPAA.

With no ability to sue under HIPAA, what can you do? Plain and simple, the only real “remedy” — if you even dare call it that — is the right to complain. The Office for Civil Rights (“OCR”), located within HHS, has enforcement authority to investigate and punish HIPAA violators. Through its online portal, a victim who believes a person, agency, or organization violated his (or someone else’s) health information privacy rights may file a complaint, so long as the complaint is filed within 180 days from when the victim knew the alleged incident occurred.

Although the OCR promises “careful review” of all complaints, not much public information is available about the investigation process. When an investigation concludes that a violation has occurred, it ends with a letter from the OCR requesting one of three resolutions from the violator: (1) voluntary compliance with HIPAA; (2) corrective action; or (3) an agreement to a settlement.


With no clear avenue under HIPAA to sue, all is not completely lost for victims. Medical data breach cases around the country continue to crop up in which attorneys and claimants file suit on a legal theory other than sole reliance on HIPAA. For example, some of these lawsuits rested upon the theory of basic negligence. Courts have allowed claimants to argue that a covered entity’s failure to adhere to HIPAA requirements represents a breach of the “standard of care,” and that such a breach of the appropriate standard of care constitutes a negligent act. [4]

In Tennessee, a federal court has allowed a plaintiff to move forward with her negligence claim based upon a violation of HIPAA. [5] The Tennessee court held that

HIPAA’s provisions do not completely preempt state law and expressly preserve state laws that are not inconsistent with its terms.

No other case law exists in Tennessee in which courts have addressed whether HIPAA preempts state-based privacy claims. Nonetheless, the Harmon case could provide victims and their attorneys with the sliver of opportunity needed to assert future claims.


When people are disappointed to hear that HIPAA offers no direct pathway to a lawsuit, I first remind them that the law is always changing. As courts around the country continue to grapple with whether a HIPAA violation can give rise to other legal actions, the dust will settle and the picture will slowly come into focus. Whether or not a HIPAA violation results in your eventual pursuit of a legal claim, exercise your right to complain. You may ask yourself: what’s the point? Think of it like this — the OCR investigation your complaint triggers may ultimately yield a finding of wrongdoing, and that finding just might produce the kind of wholesale changes that dictate how an organization or agency protects patient information in the future.


Have any more questions or concerns about the protection of personal health information? Contact me, or just follow me on Twitter @CyberSecureAtty.





[1] HIPAA broadly defines “Protected Health Information” as “individually identifiable health information” — which is health information, including demographic information, that “relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; . . . or the past, present, or future payment for the provision of health care to an individual” and either identifies the individual or provides a reasonable basis by which to identify the individual. See 45 C.F.R. § 160.103.

[2] “Covered entities” charged with the protection of health information, and to whom HIPAA applies, include the following: health plans, healthcare clearinghouses, and healthcare providers. To determine whether an agency, organization, or individual falls within the definition of a “covered entity,” consult the guidance offered by the OCR.

[3] Thomas v. Univ. of Tennessee Health Sci. Ctr., No. 217CV02263SHMTMP, 2017 WL 2570907, at *2 (W.D. Tenn. June 14, 2017).

[4] See Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32 (Conn. 2014).

[5] Harmon v. Maury Cty., TN, No. 1:05 CV 0026, 2005 WL 2133697 (M.D. Tenn. Aug. 31, 2005).